Newsgroups: php.internals
From: damz@damz.org (Damien Tournoud)
To: Yasuo Ohgaki
Cc: "internals@lists.php.net"
Date: Tue, 18 Feb 2014 11:38:33 +0100
Subject: Re: [PHP-DEV] [VOTE] Secure Session Module Options/Internal by Default

Hi there,

I remember that the `use_strict_mode=on` added in PHP 5.5 was broken and would prevent the application from setting a session ID by itself. This is actually fairly common: about 800k Drupal 7 websites do that.

Unless this is fixed, this setting just cannot be enabled by default.

Damien Tournoud

On Mon, Feb 17, 2014 at 5:27 AM, Yasuo Ohgaki wrote:
> Hi all,
>
> This RFC changes default session settings and introduces a new
> setting that disables a possible timing attack against session ID. All
> of them help to improve general session ID security except the
> hash_bits_per_character change.
>
> NIST discouraged use of SHA-1 years ago. It proposes to use
> SHA-256 as the default hash function for session. To reduce the
> size of the session ID string, hash_bits_per_character=6 is proposed.
>
> https://wiki.php.net/rfc/secure-session-options-by-default
>
> Thank you for voting!
>
> P.S. Although the change is trivial, if anyone would like to see a
> patch for this, I'll prepare one ASAP.
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
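An added example, not from the thread or the RFC, of what the proposed `hash_function=sha256` / `hash_bits_per_character=6` settings mean for the session ID format, and how an application that manages its own session IDs (the Drupal 7 case above) can check the cookie value before `session_start()` instead of relying on `use_strict_mode`. The function names and the sample cookie values are constructed for this example.

```php
<?php
// Added example (not from the thread). Derives the session ID format PHP
// produces for a given session.hash_function / session.hash_bits_per_character
// pair and validates an incoming cookie against it before session_start().

// Output size in bits of the hash functions usable in session.hash_function.
function session_hash_bits($hash_function) {
    $bits = array('md5' => 128, 'sha1' => 160, 'sha256' => 256, 'sha512' => 512);
    return $bits[$hash_function];
}

// Character set PHP uses for each session.hash_bits_per_character value
// (6 bits/char: digits, a-z, A-Z, "-" and "," -> 64 symbols).
function session_id_alphabet($bits_per_char) {
    $alphabets = array(4 => '0-9a-f', 5 => '0-9a-v', 6 => '0-9a-zA-Z,-');
    return $alphabets[$bits_per_char];
}

// Number of characters PHP emits: ceil(hash bits / bits per character).
function session_id_length($hash_function, $bits_per_char) {
    return (int) ceil(session_hash_bits($hash_function) / $bits_per_char);
}

// Regex matching exactly the IDs PHP would generate under these settings.
function session_id_pattern($hash_function, $bits_per_char) {
    $len = session_id_length($hash_function, $bits_per_char);
    return '/\A[' . session_id_alphabet($bits_per_char) . ']{' . $len . '}\z/';
}

// Constructed helper: reject a cookie value that cannot be a PHP-generated ID
// before it reaches the session handler. An application that sets session IDs
// itself should run this check, then call session_id() and session_start(),
// and regenerate the ID (session_regenerate_id(true)) on privilege changes.
function accept_session_cookie($cookie, $hash_function, $bits_per_char) {
    return is_string($cookie)
        && preg_match(session_id_pattern($hash_function, $bits_per_char), $cookie) === 1;
}

// Size effect of the proposal: md5 with 4 bits/char gives 32 hex characters;
// sha256 with 6 bits/char gives 43 characters, shorter than sha256/4 (64).
printf("md5/4: %d, sha256/4: %d, sha256/6: %d\n",
    session_id_length('md5', 4),
    session_id_length('sha256', 4),
    session_id_length('sha256', 6));

// Constructed sample cookie values, one well-formed and one malformed.
var_dump(accept_session_cookie(str_repeat('aZ9,-', 8) . 'abc', 'sha256', 6));
var_dump(accept_session_cookie('not a session id!', 'sha256', 6));
```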